After the Advocate General’s Opinion last week, we waited in trepidation for the Court of Justice of the European Union (the “Court”) to rule on transfers of personal data to the US under the Safe Harbor Framework. Not entirely unexpectedly, the Court held this morning that Safe Harbor is invalid.
Interestingly, however, the Court has not followed the Advocate General in his view that EU Data Protection Authorities (“DPAs”) should have the discretion to suspend transfers based on an adequacy decision by the EU Commission. Instead, the DPA should refer the matter to the Court for a preliminary ruling.
A quick word on the future before we examine the ruling in detail: although strictly speaking, transfers to the US are unlawful as of this morning, it seems pretty unlikely the internet will suddenly be switched off.
The Safe Harbor arrangement was fundamental to the commercial relations between the EU and the US, with vast amounts of data being transferred every day. After the Snowden revelations, the Commission and the DPAs agreed that Safe Harbor needed improvement, and the US and the EU have been working on its renegotiation. Rumours are that this “Safe Harbor 2.0” is expected to be put before the EU Parliament for its agreement shortly. The Court’s ruling must, therefore, be viewed in the context of this renegotiation process.
In the meantime, we expect the Article 29 Working Party and the DPAs will release their views on how organisations should respond to the Court’s ruling. Enforcement action seems an extremely remote possibility, at least in the immediate future. We anticipate companies will be given time to consider the most appropriate alternative solutions for them – and hopefully the EU bodies will now be spurred on to agree Safe Harbor 2.0.
Article 25 of the EU Data Protection Directive (the “Directive”) restricts transfers of personal data outside the EEA, unless certain conditions are met. One of these conditions is that the receiving country ensures an “adequate level of protection” for the data. Under Article 25(6), the Commission has the power to decide that a third country does ensure an adequate level of protection, by reason of its domestic law or the international commitments it has entered into.
In 2000, the Safe Harbor Framework was agreed between the Commission and the US, enabling US companies to self-certify that they would comply with the Safe Harbor principles when receiving personal data from the EU. Under Commission Decision 2000/250, compliance with these principles was considered to provide an “adequate level of protection” for the data, as required by Article 25 of the Directive.
After the Snowden revelations regarding the NSA’s mass data gathering and surveillance activities, an Austrian student called Max Schrems raised a complaint with the Irish DPA regarding Facebook’s data transfers under Safe Harbor. The Irish DPA then issued a referral to the Court, asking firstly whether DPAs had the power to question a Commission adequacy decision, and secondly whether Decision 2000/250, in respect of Safe Harbor, itself was invalid in light of the Snowden revelations.
The decision of the Court
The Court declared the Commission’s adequacy decision invalid on two grounds:
- that the Commission did not, in fact, state that the Safe Harbor framework ensured an adequate level of protection, by reason of the US’s domestic law or the international commitments it has entered into (as the Commission was required to do under Article 25(6) of the Directive). The adequacy decision was not reliant on any rules of US law which either limited interference by US government agencies, or gave effective legal protection against such interference; and
- the powers granted to the European DPAs under the Safe Harbor decision to suspend data flows to the US were too restrictive and had too high a threshold for intervention. The Commission is not empowered to restrict the DPAs’ powers in this manner, and thus the Commission had exceeded the discretion given to it under Article 25(6).
It is interesting to note that it was not the Safe Harbor principles themselves which the Court questioned (in fact it did not examine them at all). Instead, the Court focused on the derogation in Safe Harbor which enabled the relevant companies to disregard the Safe Harbor principles when passing data to the NSA.
Under the Safe Harbor Framework, a company would not need to comply with the principles “to the extent necessary to meet national security, public interest, or law enforcement requirements”, or “by statute, government regulation or case law that create conflicting obligations or explicit authorisations” – provided any such non-compliance was limited to the extent necessary to meet the overriding legitimate interests furthered by any such authorisation.
The Court found that this derogation enabled US government agencies, who were not themselves subject to Safe Harbor, to process personal data: (i) in a way incompatible with the purpose for which it was transferred; (ii) beyond that which was strictly necessary and proportionate; and (iii) without giving individuals any administrative or judicial means of redress. The fact that this generalised access to personal data was permitted by US legislation meant the US did not, by reason of its domestic law or international commitments, ensure an adequate level of protection for the data.
Furthermore, since the DPAs’ powers under the adequacy decision were so restricted, they were unable to exercise the powers granted to them under Article 28 of the Directive to uphold the protections granted by the Directive – including the right to ensure adequate protection in third countries, under Article 25.
In reaching its decision, the Court relied (as it is increasingly wont to) on the Charter of Fundamental Rights of the EU (the “Charter”). The Court repeatedly emphasised that the Directive must be read in light of the fundamental rights to privacy and data protection in Articles 7 and 8 of the Charter, and the right to an effective remedy in Article 47. The power of the Charter is becoming increasingly clear as a means for the Court to reach a decision which puts privacy rights above all else.
In summary, therefore, the Court ruled that the Safe Harbor adequacy decision is invalid. As a consequence, any transfers of personal data to the US which are reliant on Safe Harbor alone (and not on any of the other mechanisms or derogations) are unlawful.
The power of the DPAs
In contrast to the Advocate General’s Opinion, the Court did not find the DPAs could themselves decide that a Commission adequacy decision was invalid, and suspend transfers accordingly. The Court emphasised that only it had the power to declare an EU act invalid, in order to protect legal certainty.
However, a DPA which receives a complaint from an individual questioning the protection of their fundamental rights and freedoms under an adequacy decision must carry out an investigation to determine if the complaint has merit. If the DPA considers the complaint is valid and the adequacy decision is open to question, it should refer the matter to its national courts to request a preliminary ruling from the Court. An individual whose complaint has been rejected by the DPA should also have the ability to challenge the DPA’s decision before his/her national courts.
This aspect of the decision is good news for multinational organisations, many of whom had feared a rise in DPA activism, with DPAs blocking transfers on their own initiative to other ‘white list’ countries such as Switzerland or Canada, or those based on the Model Clauses. This also allays fears that Safe Harbor 2.0, if and when it is agreed, would be immediately open to challenge by the DPAs.
What should you do?
First of all, don’t panic, and don’t rush into anything. The DPAs and the Article 29 Working Party will have to respond to the ruling, and should provide us with a better picture of what they expect organisations to do. It also seems highly likely that more information will quickly emerge about the progress of Safe Harbor 2.0. Provided organisations are active in reaching a solution, we think it highly unlikely the DPAs will begin any enforcement action in the immediate future.
However, you should consider the alternative transfer mechanisms and which of these would be most suitable to your organisation. Model Clauses? Binding Corporate Rules? Bespoke clauses approved by the Commission? Or one of the permitted derogations in Article 26, such as consent or performance of a contract?
Model Clauses are clearly the quickest solution, but they do contain some fairly onerous obligations – particularly in respect of sub-processing – and so should be read with care. Binding Corporate Rules can be a great tool for large organisations, but could take one or two years to put in place. Finally, take care before falling back on consent, as the DPAs have always taken a very narrow view on the scope of consent to data transfers.